Re: Comments on the EME opinion

On Mon, Oct 27, 2014 at 4:02 AM, Henri Sivonen <hsivonen@hsivonen.fi> wrote:

> On Thu, Oct 23, 2014 at 3:26 AM, David Dorwin <ddorwin@google.com> wrote:
> >
> On Fri, Oct 24, 2014 at 12:31 PM, "Martin J. Dürst"
> <duerst@it.aoyama.ac.jp> wrote:
> > Just a (maybe stupid) question from a non-expert: When you speak about
> > HTTPS, would that require transmitting all the content (huge video
> > files,...) over HTTPS, or would that only/mainly apply to credential
> > exchanges/signup/... or whatever it's called that goes on before the
> > actual content is served?
>
> The problem is that if EME is restricted to https, it means that XHR
> on the same page can't fetch the video segments for MSE without
> tripping over the mixed-content blocker (taken together with the
> expense of serving the video segments over https).
>
> The obvious question that is whether it would be feasible to do
> something that'd make XHR from https to http not blocked. For example,
> could streaming services deliver hashes of the video segments to the
> JS app over https and could https to http XHR be unblocked if the JS
> app told XHR the expected MIME type and hash and those matched what
> XHR actually received?
>

FWIW, despite the logistics of managing hashes for the 100s of millions of
2-second segments* in our catalog, this would be far more financially
viable than using https.

However, whilst it solves the security issue, it doesn't help with privacy
in respect of which media files are being downloaded. Https doesn't fully
solve that on its own either, since one could fingerprint content through
observation of block response sizes, at least for VBR video.


>
> On Sat, Oct 25, 2014 at 1:13 AM, Mark Watson <watsonm@netflix.com> wrote:
> > But your tone suggests you think we have not even considered these
> > things. We have, and the discussion would be more productive if
> > comments were addressed to omissions, errors and suggestions for
> > improvement on the work we have actually already done.
>
> "What do actual UA+CDM combinations *do*?" is rather more relevant
> than "Has this been considered?"
>
> --
> Henri Sivonen
> hsivonen@hsivonen.fi
> https://hsivonen.fi/
>

Received on Monday, 27 October 2014 14:29:50 UTC